Settlement Approved in Class Action Linked to Former Employee’s Data Breach

A federal court has granted preliminary approval of a $5 million settlement concerning class action litigation against Pennsylvania’s Geisinger Health and Microsoft subsidiary Nuance Communications, following a 2023 data breach that compromised the personal information of over 1 million patients.
The breach involved Max Vance, a former employee of Nuance, who allegedly accessed patient data just two days after his termination. This information reportedly included sensitive patient details, such as names, Social Security numbers, birth dates, and health records.
Geisinger Health reported the incident in 2023, taking immediate action by cutting the former employee’s access to their systems. However, the organization delayed notifying the 1.2 million affected patients until June 2024, citing an ongoing law enforcement investigation into the breach.
Geisinger is a major healthcare provider across Pennsylvania, serving diverse communities and generating substantial revenue; at that scale it is a significant custodian of patient data, not only a provider of care.
In conjunction with the civil suit, Vance faces federal criminal charges under the Computer Fraud and Abuse Act, with jury selection for his trial now scheduled for January 5, 2026. This case underscores the increasing scrutiny and legal ramifications associated with insider threats in the healthcare sector, a critical area often targeted in cyber-attacks.
The approved settlement offers class members two compensation options: reimbursement for documented actual losses and complimentary credit monitoring services. Notably, Geisinger Health clarified that neither it nor its insurer would be responsible for covering the settlement costs.
A comprehensive amended class action complaint had previously alleged that Geisinger and Nuance failed to adequately safeguard sensitive information, and those allegations led to the proceedings that culminated in this settlement. While the monetary awards to the lead plaintiffs and the attorneys' fees have not yet been disclosed, the case shows that inadequate data protection practices can carry direct financial and legal consequences.
In MITRE ATT&CK terms, the case illustrates initial access by an insider and privilege escalation after employment ended: a former employee's access was still usable two days after termination. Organizations must bolster their security posture, particularly in access management (prompt de-provisioning of departing employees and their third-party vendor accounts) and insider threat detection (alerting on activity from accounts that should already have been disabled), to mitigate similar risks in the future.